Delegation of Control of DNS Zone Administration

Overview

Members of the built-in DNSAdmins security group in an Active Directory domain are granted the following default permissions on the DNS server and the zones it hosts: Allow Read, Write, Create All Child Objects, Delete Child Objects and Special Permissions. These rights apply to every zone on the server, so DNSAdmins membership cannot be scoped down to one region's zones.

In a large organization there may be a need to delegate control of DNS zone administration to regional or branch office network administration groups, or to the SOC team, who may need to create sinkhole or honeypot DNS entries. This article outlines one possible way to configure that delegation.

For this illustration, the regional network administration team is assumed to be located in the APAC region and to be creating their first Active Directory-integrated DNS zone, lazydog.com.

Procedure

In order to keep the default Active Directory permissions on the domain naming context (the default NC) and on the DomainDnsZones partition intact while still delegating control of DNS zone administration, this procedure requires the creation of a custom application directory partition.

The application partition can be replicated to all the domain controllers in the domain or to a specific set of domain controllers. For fault tolerance, it is recommended that the replica set span at least two domain controllers: one replica on a DC in the region or branch office, and the other on a DC in another region or in the central office.

Technical Details

1. Create custom Application Partition for DNS

Note: Creating an application directory partition requires Enterprise Admins rights. A Domain Admin account in the forest root domain that is also a member of Enterprise Admins (the forest root built-in Administrator account is, by default) will do.

Log into a domain controller in the child domain with a Domain Admin account.

Launch command prompt.

Using RUNAS, change the user context to the forest root account that holds Enterprise Admins rights.

Using DNSCMD.EXE, create a custom application partition dedicated to DNS. For this lab exercise, we will use the FQDN apDNSAPAC.win.

Note: The DNS name of the custom application partition does not need to sit in the same DNS hierarchy as any of your existing DNS domains. The name apDNSAPAC.win is generic and will work in almost all cases.

dnscmd %computername% /createDirectoryPartition apDNSAPAC.win

Add at least one more domain controller to the replica set:

dnscmd [nextDCinDomainFQDN] /enlistDirectoryPartition apDNSAPAC.win

Note: You can also create the application partition and add replicas with NTDSUTIL. The difference is that with NTDSUTIL the container CN=MicrosoftDNS is created only when the first DNS zone is hosted in the new partition, whereas with DNSCMD the container is created immediately.

Review the replica set:

dnscmd %computername% /DirectoryPartitionInfo apDNSAPAC.win

Ensure the replica count is greater than 1.

Launch LDP.EXE or another LDAP browser of your choice and confirm that you can connect to the base DN of the new application partition, DC=apDNSAPAC,DC=win. It should appear among the naming contexts hosted on the DC, and the container CN=MicrosoftDNS,DC=apDNSAPAC,DC=win should exist beneath it.
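The same partition creation, enlistment and verification, as an added PowerShell example that is not part of the original article. It uses the DnsServer module cmdlets that correspond to the dnscmd switches above and checks the replica count, the RootDSE naming contexts and the CN=MicrosoftDNS container without a separate LDAP browser. The two DC names are placeholders; substitute DCs from your own environment and run it under an account with Enterprise Admins rights.

```powershell
# Added example, not the article's own code. Creates the apDNSAPAC.win
# application partition, enlists a second DC and verifies the result.
#Requires -Modules DnsServer

$PartitionName = 'apDNSAPAC.win'
$FirstDc  = 'dc01.apac.child.example.com'   # assumed: a DC in the APAC region
$SecondDc = 'dc01.hq.example.com'           # assumed: a DC in the central office

function New-DnsAppPartition {
    param([string]$Name, [string]$CreateOn, [string[]]$AlsoEnlist)
    # Equivalent of: dnscmd $CreateOn /createDirectoryPartition $Name
    Add-DnsServerDirectoryPartition -Name $Name -ComputerName $CreateOn
    foreach ($dc in $AlsoEnlist) {
        # Equivalent of: dnscmd $dc /enlistDirectoryPartition $Name
        Register-DnsServerDirectoryPartition -Name $Name -ComputerName $dc
    }
}

function Test-DnsAppPartition {
    param([string]$Name, [string]$Dc)
    # Equivalent of: dnscmd $Dc /DirectoryPartitionInfo $Name
    $p        = Get-DnsServerDirectoryPartition -Name $Name -ComputerName $Dc
    $replicas = @($p.Replica)
    $dn       = $p.DirectoryPartitionDistinguishedName   # e.g. DC=apDNSAPAC,DC=win

    # The DC's RootDSE must now list the partition as a naming context
    $rootDse = [ADSI]"LDAP://$Dc/RootDSE"
    $isNc    = ($rootDse.namingContexts -contains $dn)

    # DNS tools create CN=MicrosoftDNS immediately (NTDSUTIL would not)
    $hasMsDns = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dc/CN=MicrosoftDNS,$dn")

    [pscustomobject]@{
        Partition       = $Name
        DistinguishedName = $dn
        ReplicaCount    = $replicas.Count
        Replicas        = ($replicas -join ', ')
        IsNamingContext = $isNc
        HasMicrosoftDns = $hasMsDns
        FaultTolerant   = ($replicas.Count -ge 2)
    }
}

New-DnsAppPartition -Name $PartitionName -CreateOn $FirstDc -AlsoEnlist $SecondDc
$result = Test-DnsAppPartition -Name $PartitionName -Dc $FirstDc
$result | Format-List
if (-not $result.FaultTolerant) {
    Write-Warning "Replica count is $($result.ReplicaCount); enlist at least one more DC."
}
```

Run it once from the forest root context; the verification function can be re-run later by anyone with read access to confirm the replica set has not shrunk.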

7. Create DNS Records

This step illustrates the setup of a DNS sinkhole. 127.0.0.1 is used below as a blackhole address; to redirect instead of block, use the IP address of a honeypot server that suits your environment.

Select a domain computer on your network that already has the Remote Server Administration Tools (RSAT) installed.

Log into that domain computer with a domain account that is a member of the newly created security group, i.e. APAC Region DNS Zone Administrators.

Launch command prompt

Run the following commands to create the DNS records. Here apDNSAPAC.win is passed to DNSCMD as the server name, which assumes it resolves to a domain controller in the partition's replica set; if it does not, use the FQDN of such a DC instead.

Use @ to block or redirect the domain name lazydog.com itself:

dnscmd apDNSAPAC.win /recordAdd lazydog.com @ A 127.0.0.1

or

Use * to block or redirect every other name in the domain lazydog.com:

dnscmd apDNSAPAC.win /recordAdd lazydog.com * A 127.0.0.1

Launch DNSMGMT.MSC

Select or add the DNS server apDNSAPAC.win (or a DC in the partition's replica set)

Expand Forward Lookup Zones

Select DNS Zone lazydog.com

View DNS Records

Confirm that the @ record (shown as "(same as parent folder)") has been created with its target IP address set to 127.0.0.1

Close DNSMGMT.MSC
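The record creation and the DNS Manager check, as an added PowerShell example that is not part of the original article. It runs as the delegated administrator on an RSAT workstation, creates the zone in the custom partition if it is not there yet (an assumption: the article creates the zone in an earlier step), adds the @ and * sinkhole records, and then verifies both the partition placement and the answers a client would receive. The DC name and the honeypot address are placeholders.

```powershell
# Added example, not the article's own code. Creates and verifies the
# lazydog.com sinkhole records hosted in the apDNSAPAC.win partition.
#Requires -Modules DnsServer

$Dc        = 'dc01.apac.child.example.com'  # assumed: a DC in the apDNSAPAC.win replica set
$Zone      = 'lazydog.com'
$Partition = 'apDNSAPAC.win'
$Target    = '127.0.0.1'   # blackhole; set to the honeypot server's IP to redirect instead

function Add-SinkholeZone {
    param([string]$ZoneName, [string]$PartitionName, [string]$Address, [string]$Server)
    # Create the zone in the custom partition only if it does not exist yet
    if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $Server -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Custom `
            -DirectoryPartitionName $PartitionName -ComputerName $Server
    }
    # '@' answers the zone apex (DNS Manager shows it as "(same as parent folder)")
    # Equivalent of: dnscmd $Server /recordAdd $ZoneName @ A $Address
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '@' -IPv4Address $Address -ComputerName $Server
    # '*' answers every name in the zone that has no explicit record
    # Equivalent of: dnscmd $Server /recordAdd $ZoneName * A $Address
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '*' -IPv4Address $Address -ComputerName $Server
}

function Test-Sinkhole {
    param([string]$ZoneName, [string]$PartitionName, [string]$Address, [string]$Server)
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $Server
    # Ask the DC directly, bypassing the local cache, for the apex and a wildcard name
    $apex = Resolve-DnsName -Name $ZoneName -Type A -Server $Server -DnsOnly
    $wild = Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $Server -DnsOnly
    [pscustomobject]@{
        Zone              = $ZoneName
        InPartition       = ($zone.DirectoryPartitionName -eq $PartitionName)
        ApexSinkholed     = ($apex.IPAddress -contains $Address)
        WildcardSinkholed = ($wild.IPAddress -contains $Address)
    }
}

Add-SinkholeZone -ZoneName $Zone -PartitionName $Partition -Address $Target -Server $Dc
Test-Sinkhole -ZoneName $Zone -PartitionName $Partition -Address $Target -Server $Dc | Format-List
```

If InPartition comes back False the zone was created in a default partition and is governed by the default ACLs rather than the delegated ones; delete it and recreate it with the Custom replication scope before adding records.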

8. Summary

As mentioned at the beginning of this article, this is one method we have come up with for delegating control of the DNS zone administration task. There may be other, better ways of implementing the same. Your comments will be greatly appreciated.

The solution proposed in this blog may be used to set up a DNS sinkhole; however, it is limited to the on-premises network, since it only affects clients that resolve through these domain controllers. For scenarios that deal with corporate devices operating on untrusted networks, such as at home, in coffee shops or in airport lounges, please consult our pre-sales team to discuss how Synergix Active Directory Client Extensions (ADCE) can help.